Cloud computing is a form of network-accessible computing that provides shared computer processing resources and data to computers and other devices on demand over the Internet. It enables on-demand access to a shared pool of configurable computing resources, such as computer networks, servers, storage, applications, and services. Given the vast resources available in the cloud, cloud workload security has become increasingly important. In cloud computing systems, as in conventional computer systems, a wide variety of alerts can be generated that resemble potential network attacks. To render a particular collection of alerts meaningful to a system administrator, the alerts are often grouped into incidents, that is, chains of alerts that are related to each other. Rather than being notified of each individual alert generated, the administrator can then focus on alerts that resemble attacks likely to be legitimate, rather than on a harmless collection of alerts generated by Internet noise.
Several methods exist for correlating security alerts. One method of grouping such alerts is to locate alerts that appear close in time to each other, which may indicate an ongoing progression of an attack or an attack's advancement in a kill chain. However, in many cases, even when alerts appear to be temporally related, the alerts may nevertheless be unrelated to each other, leading to false positives being reported to the system administrator in charge of incident response. Alerts may also be validated not just by their temporal relationships to other alerts, but also by examining the context associated with an alert. If an alert shares the same context with another alert, a system can deduce that a particular collection of alerts is part of a single security incident, and accordingly notify an administrator of the security incident. However, such a process requires additional resources, such as additional system administrators to constantly monitor the system and write new rules. As both the number of connected systems and the number of potential attacks increase, such an approach becomes less scalable.
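The two grouping methods described above, purely temporal grouping and temporal grouping validated by shared context, as an added illustration that is not part of the original text or any system it describes. The alerts, the 10-minute window and the choice of host as the context field are constructed assumptions; running it shows how the time-only method folds an unrelated host into the incident (the false positive the text warns about) while the context check keeps it separate.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (illustrative; not taken from the original text).
# Each alert carries a timestamp, the host it was raised on (its context) and a rule name.
ALERTS = [
    {"ts": "2024-01-01T10:00:00", "host": "web-01", "rule": "port_scan"},
    {"ts": "2024-01-01T10:02:00", "host": "web-01", "rule": "ssh_brute_force"},
    {"ts": "2024-01-01T10:03:00", "host": "db-07", "rule": "port_scan"},       # close in time, unrelated host
    {"ts": "2024-01-01T10:05:00", "host": "web-01", "rule": "new_admin_account"},
    {"ts": "2024-01-01T14:00:00", "host": "web-01", "rule": "port_scan"},      # same host, hours later
]


def correlate(alerts, window=timedelta(minutes=10), context_key="host"):
    """Group alerts into incidents (chains of related alerts).

    An alert joins an existing incident when it falls within `window` of that
    incident's most recent alert and, if `context_key` is set, shares the same
    context value (here the host). With context_key=None only time is used,
    which is the purely temporal method described in the text.
    Returns a list of incidents; each incident is a list of alerts in time order.
    """
    ordered = sorted(alerts, key=lambda a: datetime.fromisoformat(a["ts"]))
    incidents = []  # each entry: {"ctx": value, "last": datetime, "alerts": [...]}
    for alert in ordered:
        t = datetime.fromisoformat(alert["ts"])
        ctx = alert[context_key] if context_key else None
        for inc in incidents:
            if inc["ctx"] == ctx and t - inc["last"] <= window:
                inc["alerts"].append(alert)
                inc["last"] = t
                break
        else:  # no open incident matched: start a new one
            incidents.append({"ctx": ctx, "last": t, "alerts": [alert]})
    return [inc["alerts"] for inc in incidents]


def rule_chain(incident):
    """Ordered sequence of rule names in an incident, i.e. the chain an analyst reviews."""
    return tuple(a["rule"] for a in incident)


if __name__ == "__main__":
    for label, key in (("time only", None), ("time + host context", "host")):
        print(f"== {label} ==")
        for inc in correlate(ALERTS, context_key=key):
            print(sorted({a["host"] for a in inc}), rule_chain(inc))
```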